Valve admits forum hack exposed gamers' privates

Steam, the online platform of video game firm Valve Corporation, has admitted that customer personal details including encrypted credit card information might have been exposed by a hack attack last weekend.

The hack led to the creation of a new "promoted" discussion thread on the Steampowered forum, ostensibly promoting a site offering gaming cracks. In addition, some users began receiving spam promoting the same site.

The Steampowered site was suspended, initially without explanation. However, in an updated message posted on Thursday (below), forum administrators admitted the site had been hacked and that the collateral damage caused extends well beyond that caused by a simple defacement.

Back-end databases – holding sensitive data including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information – were also breached. Users are advised to change their passwords and to keep a close eye on their bank statement, in case crooks manage to use the stolen data to commit fraud or perhaps to run identity theft scams.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

News of the breach coincides with the release of Skyrim, the fifth game in Bethesda Software's popular Elder Scrolls series; unlocking the game and playing it online required access to Steam's online services.

Steam's game servers were taken offline, as a precaution, following the breach on its forums but they were back online in time for the Friday launch of the game, avoiding the need to delay the launch, as net security Sophos reports.

More than 1,400 games are available through Steam, which has an estimated 35 million active user accounts. How many of these accounts also use the Steampowered forums affected by the breach is unclear, but the figure probably runs comfortably into the millions.

Paul Ducklin of Sophos has some pointers for gamers on precautions to take following the Steam breach, the latest attack on only gaming firms over recent months, here.

The most notorious incidents in an annus horribilis for gaming firms was the April hack on the PlayStation Network, which exposed the private data of millions, leading to the network's weeks-long suspension. Victims of lesser attacks have included Nintendo, Bethesda and Sega, among others. ®